Kubernetes A.I CyberSecurity Scoring
Kubernetes
Company Information
Website: https://kubernetes.io/
Employees: 90
Followers: 20,144
NAICS: 5112
Industry type: Software Development
Homepage: kubernetes.io
Kubernetes Risk Score (AI oriented): between 700 and 749
Kubernetes, Software Development
Updated: 01/04/2026
Current score: 741/1000, Ba (Moderate)
Kubernetes Global Score (TPRM): score locked
3 incidents, -5 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
Score by month: June 2026: 742; May 2026: 742; April 2026: 742; March 2026: 746
Vulnerability • 17 Mar 2026 • Kubernetes • Severity: CRITICAL-5 • Incident ID: KUB1773764746 • Score: 741
Kubernetes: Kubernetes CSI Driver for NFS Vulnerability Lets Attackers Delete or Modify NFS Server Directories
Kubernetes NFS CSI Driver Vulnerability Exposes Clusters to Path Traversal Attacks
A critical path traversal vulnerability has been discovered in the Kubernetes Container Storage Interface (CSI) Driver for NFS, potentially allowing attackers to delete or modify unintended directories on connected NFS servers. The flaw (tracked under CVE-2024-3177) arises from insufficient validation of the `subDir` parameter in volume identifiers, enabling malicious actors to exploit clusters where users can create PersistentVolumes referencing the NFS CSI driver.
### How the Vulnerability Works
The issue lies in how the CSI driver processes the `subDir` parameter during volume operations. Attackers with permissions to create PersistentVolumes using the `nfs.csi.k8s.io` driver can craft volume identifiers containing path traversal sequences (e.g., `../`). When the driver executes deletion or cleanup operations, it may traverse outside the intended directory scope, leading to unauthorized modifications or deletions on the NFS server.
For example, a maliciously crafted `volumeHandle` like `/tmp/mount-uuid/legitimate/../../../exports/subdir` could force the CSI controller to operate on unintended directories.
### Affected Systems & Risk Conditions
Organizations are at risk if they meet all of the following criteria:
- Running the NFS CSI Driver (`nfs.csi.k8s.io`) in their Kubernetes cluster.
- Allowing non-administrator users to create PersistentVolumes referencing the NFS CSI driver.
- Using a vulnerable version of the driver (all versions prior to v4.13.1).
### Detection & Exploitation Indicators
Administrators can check for exposure by:
- Inspecting PersistentVolumes using the NFS CSI driver for traversal sequences (e.g., `../`) in the `volumeHandle` field.
- Reviewing CSI controller logs for suspicious directory operations, such as:
```
Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir
```
Clusters showing signs of exploitation should be reported to [email protected].
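The first check above, inspecting NFS CSI PersistentVolumes for traversal components in `volumeHandle`, as an added example written for this page (not code from the Kubernetes project or the CSI driver). It reads the JSON shape that `kubectl get pv -o json` produces; the sample PVs and the `nfs.example.internal` server name are constructed, and splitting the handle on `#` as well as `/` is an assumption about how the driver joins handle fields.

```python
import json
import re

NFS_CSI_DRIVER = "nfs.csi.k8s.io"
# Assumption: the NFS CSI driver joins volumeHandle fields with '#', while
# sub-directory segments use '/'. Splitting on both catches '..' anywhere.
SEPARATORS = re.compile(r"[/#]")


def handle_has_traversal(volume_handle: str) -> bool:
    """True if any component of the handle is exactly '..'.

    Checking whole components rather than the substring '../' avoids flagging
    a legitimate name such as 'data..old' and still catches a trailing '..'."""
    return any(part == ".." for part in SEPARATORS.split(volume_handle))


def audit_nfs_pvs(pv_list: dict) -> list:
    """Return (PV name, volumeHandle) for NFS CSI PVs whose handle traverses."""
    findings = []
    for pv in pv_list.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        if csi.get("driver") != NFS_CSI_DRIVER:
            continue  # other drivers are out of scope for this advisory
        handle = csi.get("volumeHandle", "")
        if handle_has_traversal(handle):
            findings.append((pv["metadata"]["name"], handle))
    return findings


# Constructed sample in the shape of `kubectl get pv -o json` (not real data).
SAMPLE_PV_JSON = json.dumps({"items": [
    {"metadata": {"name": "pv-good"},
     "spec": {"csi": {"driver": NFS_CSI_DRIVER,
                      "volumeHandle": "nfs.example.internal#exports#team-a"}}},
    {"metadata": {"name": "pv-suspicious"},
     "spec": {"csi": {"driver": NFS_CSI_DRIVER,
                      "volumeHandle": "nfs.example.internal#exports#team-a/../../other"}}},
    {"metadata": {"name": "pv-other-driver"},
     "spec": {"csi": {"driver": "ebs.csi.aws.com", "volumeHandle": "vol-0123/../x"}}},
    {"metadata": {"name": "pv-hostpath"}, "spec": {"hostPath": {"path": "/data"}}},
]})


def audit_sample() -> list:
    """Run the audit over the constructed sample; used by the demo below."""
    return audit_nfs_pvs(json.loads(SAMPLE_PV_JSON))


if __name__ == "__main__":
    for name, handle in audit_sample():
        print(f"TRAVERSAL in PV {name}: {handle}")
```

Pipe real `kubectl get pv -o json` output into `audit_nfs_pvs` to run it against a cluster; any hit is an object to review before upgrading to v4.13.1.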
### Remediation & Mitigation
The primary fix is upgrading the NFS CSI Driver to v4.13.1 or later, which includes proper validation of traversal sequences. Interim measures include:
- Restricting PersistentVolume creation privileges to trusted users.
- Auditing NFS exports to ensure only intended directories are writable by the driver.
### Disclosure & Credits
The vulnerability was responsibly disclosed by Shaul Ben Hai, Senior Staff Security Researcher at SentinelOne. The fix was developed by Andy Zhang and Rita Zhang of the CSI Driver for NFS maintainers, in coordination with the Kubernetes Security Response Committee.
Score by month: February 2026: 751
Vulnerability • 04 Feb 2026 • Kubernetes • Severity: CRITICAL-5 • Incident ID: KUB1770194009 • Score: 746
Kubernetes: Ingress-Nginx Vulnerability Allows Attackers to Execute Arbitrary Code
Critical Code Execution Vulnerability in ingress-nginx Threatens Kubernetes Clusters
A severe security flaw (CVE-2026-24512) has been identified in ingress-nginx, a widely used Kubernetes ingress controller, enabling authenticated attackers to execute arbitrary code and access sensitive cluster secrets. The vulnerability stems from improper handling of the `rules.http.paths.path` field in Ingress resources, allowing malicious configuration injection into the underlying NGINX web server.
Exploitation requires only low-level privileges and no user interaction, with the attack vector accessible remotely over a network. In default configurations, the ingress-nginx controller has permissions to read all Secrets across a Kubernetes cluster, amplifying the potential impact. Successful exploitation could grant attackers full control over affected systems.
### Affected Versions & Mitigation
The vulnerability impacts:
- ingress-nginx < v1.13.7 (fixed in v1.13.7+)
- ingress-nginx < v1.14.3 (fixed in v1.14.3+)
The Kubernetes Security Response Committee urges administrators to upgrade immediately to patched versions. For environments where upgrades are delayed, a validating admission controller can be deployed to block Ingress resources using the `ImplementationSpecific` path type as a temporary workaround.
### Detection & Response
Organizations can check for vulnerable deployments using:
```sh
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
```
Signs of exploitation may include malformed data in `rules.http.paths.path` fields. If compromised, administrators should contact the Kubernetes security team at [email protected].
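An audit covering both points above, the `ImplementationSpecific` path type that the interim admission policy blocks and path values that are not well-formed URL paths, as an added example written for this page (not code from the Kubernetes or ingress-nginx projects). It reads the JSON shape of `kubectl get ingress -A -o json`; the sample Ingress objects are constructed, and the allowed-character set is deliberately stricter than RFC 3986 (an assumption to tune for paths that legitimately use sub-delimiters).

```python
import json
import re

# Conservative allow-list for an Ingress path: unreserved URL characters,
# '/', and '%' for percent-encoding. Whitespace, quotes, braces and line
# breaks never belong in a path and are reported as malformed. Assumption:
# stricter than RFC 3986, so paths using ';', '=' or '@' will also be flagged.
WELL_FORMED_PATH = re.compile(r"^/[A-Za-z0-9._~%/-]*$")


def audit_ingresses(ingress_list: dict) -> list:
    """Return (namespace/name, path, reason) for each risky path entry."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing["metadata"]
        ident = f"{meta.get('namespace', 'default')}/{meta['name']}"
        for rule in ing.get("spec", {}).get("rules", []):
            for entry in (rule.get("http") or {}).get("paths", []):
                path = entry.get("path", "/")
                if entry.get("pathType") == "ImplementationSpecific":
                    findings.append((ident, path, "pathType ImplementationSpecific"))
                if not WELL_FORMED_PATH.match(path):
                    findings.append((ident, path, "malformed path"))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE_INGRESS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "web", "name": "shop"},
     "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
         {"path": "/api", "pathType": "Prefix"},
         {"path": "/legacy", "pathType": "ImplementationSpecific"}]}}]}},
    {"metadata": {"namespace": "web", "name": "odd"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/api v2", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "web", "name": "host-only"},
     "spec": {"rules": [{"host": "plain.example.test"}]}},
]})


def audit_sample() -> list:
    """Run the audit over the constructed sample; used by the demo below."""
    return audit_ingresses(json.loads(SAMPLE_INGRESS_JSON))


if __name__ == "__main__":
    for ident, path, reason in audit_sample():
        print(f"{ident}: {reason}: {path!r}")
```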
### Long-Term Considerations
The Kubernetes project has announced the end of maintenance for ingress-nginx, prompting organizations to evaluate alternative ingress solutions for sustained security.
Score by month: January 2026: 751; December 2025: 750; November 2025: 750; October 2025: 750; September 2025: 750; August 2025: 750; July 2025: 750; June 2025: 752
Vulnerability • 16 Jun 2025 • Kubernetes • Severity: LOW-3 • Incident ID: KUB527062525 • Score: 749
Kubernetes NodeRestriction Controller Vulnerability
A newly disclosed vulnerability in Kubernetes has been identified that could allow compromised nodes to bypass critical authorization checks within the container orchestration platform. The security flaw, tracked as CVE-2025-4563, affects the NodeRestriction admission controller and poses potential risks for organizations utilizing dynamic resource allocation features in their Kubernetes clusters. The vulnerability allows attackers to create unauthorized mirror pods, enabling privilege escalation attacks. Kubernetes versions 1.32.0-1.32.5 and 1.33.0-1.33.1 are vulnerable. Upgrade immediately to versions 1.32.6 or 1.33.2 to mitigate the risk.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Kubernetes?
What was Kubernetes's A.I Rankiteo Cyber Score in May 2026?
What was Kubernetes's A.I Rankiteo Cyber Score in April 2026?
What was Kubernetes's A.I Rankiteo Cyber Score in March 2026?
What was Kubernetes's A.I Rankiteo Cyber Score in February 2026?
What was Kubernetes's A.I Rankiteo Cyber Score in January 2026?
What was Kubernetes's A.I Rankiteo Cyber Score in December 2025?
What was Kubernetes's A.I Rankiteo Cyber Score in November 2025?
What was Kubernetes's A.I Rankiteo Cyber Score in October 2025?
What was Kubernetes's A.I Rankiteo Cyber Score in September 2025?
What was Kubernetes's A.I Rankiteo Cyber Score in August 2025?
What was Kubernetes's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Kubernetes's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Kubernetes?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Kubernetes's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?